March  2014  www.cso 




Old, outdated and forgotten systems and software may pose big risks to your organization 26


TECH: Android vs. iOS: Which mobile software is the most secure? 6

RISK: CSO 2.0: How to take your security program to the next level 14

LEAD: The 7 best habits of effective security pros 20


INTEGRATES WITH EXISTING INFRASTRUCTURE in one solution


SAFE is an innovative software solution that integrates diverse security systems with identity management onto a unified policy-based platform. SAFE ensures that every employee, contractor, vendor and visitor has clearly defined and controlled

management and reporting features. It's the most efficient way

your enterprise in order to maintain compliance 24/7. Make your world SAFE with Quantum Secure.



quantumsecure.com • info@quantumsecure.com

QUANTUM SECURE


Cover illustration by Gary Neill

Forgotten Risks Hide in Legacy Systems


4 


Also Inside

2 Editor's Letter
4 Publisher's Letter

26 Investing in new tools and solutions and making sure they're doing their job may be top-of-mind in your security department, but older, less-used systems could be quietly costing you money and putting you at risk. BY MARIA KOROLOV

32 By the Numbers: Identity Fraud


March  2014  www.csoonline.com  1 


14 Take Your Work to the Next Level
15 Users Are Still the Weakest Link in the Security Chain, Studies Show Once Again
16 Threat Modeling Helps You Keep Your Company a Step Ahead of the Risks
18 CSOs Feel the Pressure Mount Every Year

lead

20 The 7 Best Habits of Effective Security Pros
24 Where's the Harm? The Real Conversation We Need to Have About Target and Other Breaches
25 Social Security: Industry Chatter on Twitter

last

tech

6 Wanted: An Enterprise-Friendly Mobile Operating System
8 It Doesn't Matter What the Dumbest Password Is, People Will Keep Using It
9 Hackers' New Tricks Offer More Success With Less Work
10 Google Tackles Chrome's #1 Flaw
12 Microsoft's Decision to Stop Supporting Windows XP Puts Retailers' Point-of-Sale Systems at Risk

March 2014 Volume 13, Number 2


Time to Clean Out Your Old Systems

Do you ever get the feeling that you're forgetting something? It's an all-too-common hunch for those of us who lead busy lives. Was there a bill you forgot to pay? Or an important email you neglected to reply to? Or maybe there was a crucial meeting you were expected to attend.

All those little details are sitting out there, in the recesses of your brain, threatening to foul things up for you if you lose track of them.

This is an increasingly common problem for security managers, too. But for them, it's not just forgetting an important email or a crucial meeting that can ruin their day. They can also be tripped up by the old, outdated and forgotten legacy system no one is using anymore that threatens to make a mess of things in their organization.

As your systems and infrastructure become more advanced and complex, the older, simpler programs from several years ago become less vital and eventually unnecessary. They may sit, untouched and unattended, for months, even years, before some industrious crook figures out this system is sitting there, ripe for the picking, and makes a move to exploit it.

As CSO contributor Maria Korolov points out in her feature story this month, some of these systems are so out-of-date that the personnel once responsible for managing them are no longer with the company, ramping up the risk factor and creating the potential for a big crisis if someone with nefarious intent does gain access.

March signals the end of winter and the start of spring: the perfect time for some good, old-fashioned housecleaning. Why not take the time this year to put your legacy systems on your to-do list? Take stock and make sure nothing risky is hanging out there (with factory-issued passwords still intact) just waiting to be taken advantage of this year.

Once you've taken inventory of what you've got, and taken the time to update, or perhaps even decommission, older systems, you can rest just a bit easier, ready for the fresh start spring offers each year.

-Joan Goodchild, Editor,
jgoodchild@cxo.com


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: }. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.




Editor
Joan Goodchild
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Senior Editor
Grant Hatchimonji
ghatchimonji@cxo.com

Staff Writer
Steve Ragan
sragan@cxo.com
Twitter: @SteveD3

Senior Editor, Copy and Production
Colleen Barry

Art Director
Steve Traynor

Editorial Administrator
Pat Josefek

Research Manager
Carolyn Johnson

Contributors
Taylor Armerding, David Geer, Antone Gonsalves, George V. Hulme, Jeremy Kirk, John P. Mello Jr., Lauren Gibbons Paul, Bob Violino

Editorial/Advertising/Business Offices
492 Old Connecticut Path, P.O. Box 9208
Framingham, MA 01701-9208
Main phone number: 508 872-0080

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
cso@omeda.com

IDG Enterprise
An IDG Communications Company

International Data Group
Chairman of the Board
Patrick J. McGovern

IDG Communications, Inc.
CEO
Michael Friedenberg

BPA Worldwide


forescout.com

If Muhammad Ali were a Network Security Solution
He'd be ForeScout CounterACT™

Lightning quick. Knock-out punch.

Access and device diversity, dynamic exposures and advanced threats. No problem.

Just as Muhammad Ali was a boxing game-changer, ForeScout has changed the game of network security. Leveraging our ControlFabric™ technology, ForeScout delivers the continuous monitoring and mitigation necessary to enable business agility without compromising defenses.

Be a game changer. Check us out at forescout.com/gamechanger.

Complete Network Visibility and Control. Any Device. Anywhere.

See us at CSO40 Security Confab + Awards Conference

ForeScout

© 2014 ForeScout Technologies Inc. | MUHAMMAD ALI and associated marks are trademarks of Muhammad Ali Enterprises LLC © MAE LLC Represented by GreenLight.


The Internet of Things Junk

I'm taking a look at the Internet of Things, and from the standpoint of security, what I'm seeing looks like crap.

The Internet of Things refers to a still-hypothetical interconnected world in which all sorts of devices are online. A utopian vision, this web of devices that are constantly sharing information with each other is meant to simplify our lives. When you're running low on eggs and milk, your refrigerator will know and tell the grocery store so it can add them to your next delivery. (It's all a little too much like The Matrix, if you ask me. I'm troubled when Quicken reminds me it's time to pay a bill that's only due once a year. But I guess that's where things are going.)

The problem, though, is that like with many enterprise technologies, we're racing ahead with adoption and security is an afterthought. We can't wait to buy them, get them connected, and let them do what we were promised they would do: Make life more efficient. Isn't that why people are installing Nest thermostats? Hook it up, connect it to Wi-Fi, download the app to your iPhone, and voila, life is better!

But what happens when these tools turn against us? Despite the Matrix reference, I'm less concerned about them becoming self-aware than I am about them getting a little input from outside influencers. Your Nest knows you're not home, so it goes into Away Mode. That saves you energy, which cuts your heating bill, which lessens global warming and saves the polar bears, whatever floats your boat.

Now what if a thief can find out when your Nest goes into Away Mode? It might seem to them like a good time to break into your house.

We've been moving toward this interconnected world for years now. Target just learned the hard way that the Internet of Things affects enterprises too. System automation (in this case, a networked HVAC system) provided criminals with a nice conduit into Target's enterprise systems. I didn't see that coming. Should have, but didn't. In this case, it's a supply-chain risk coupled with command-and-control vulnerability.

Unless we begin to treat all of our devices, boxes and technologies as hostile by default, we will continue to find ourselves cleaning up the havoc wrought by adversaries with poor intentions and friends with good ones.

Problem is, when it comes to everyone being prepared, the skeptic in me starts rearing its ugly head. But we can always hope.

-Bob Bragdon, publisher
bbragdon@cxo.com


Advertiser Index

Cisco Systems, Inc. ... C4
CSO ... 11, 13, 23, C3
ForeScout Technologies Inc. ... 3
Quantum Secure Inc. ... C2
RSA, the Security Division of EMC ... 5


Executive Committee

CEO Matthew Yorke
Executive Assistant to the CEO Nelva Riley
SVP of Human Resources Patricia Chisholm
SVP of Events Ellen Daly
SVP & Chief Content Officer John Gallant
SVP of Digital Brian Glynn
SVP of Strategic Programs & Custom Solutions Group Charles Lee
SVP & General Manager, Online Operations Gregg Pinsky
Chief Digital Officer Pete Longo
SVP of DEMO Neil Silverman
SVP & COO Matthew Smith
President, CIO Executive Council Pam Stenson
SVP of Digital, & Publisher Sean Weglage

Sales

Publisher Bob Bragdon
East Coast Regional Director, Integrated Sales Roz Burke
Sales Director - West Mary Hazelton
Account Executive Kelsey Scheidemantel
Account Coordinator Max Crystal

Integrated Media and Online Sales

East Coast Online Regional Sales Manager Richard Hartman
West Coast Online Regional Sales Manager Erika Karr
Central Online Regional Sales Manager Carmen Facas
VP of Business Development & Digital Media Bill Rigby
VP of Digital Account Services Danielle Thorne

Production

VP Production Services Chris Cuoco
Production Manager Heidi Broadley

Marketing

Vice President, Marketing Sue Yanovitch
Marketing & PR Manager Lynn Holmlund

List Services

Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

Reprints & Permissions

For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460, ext. 100, cso@theygsgroup.com




Webb  Chappell 


ADVERTORIAL

David Raissipour
VICE PRESIDENT, FRAUD, AUTHENTICATION AND IDENTITY, RSA

Raissipour leads RSA's authentication and mobile technologies teams, with the ultimate goal of unifying identity solutions across consumer and enterprise markets.

FOR MORE INFORMATION visit www.rsa.com


CSO Custom Solutions Group

Navigating the Changing Security Landscape

RSA on Mobility, Identity, Cloud, and the Future of Endpoint-Enabled Security


To protect enterprise data in the cloud-enabled, mobility-driven present, businesses need to leave old security paradigms behind. Fortunately, RSA says, the future is already almost here.

Why are passwords still important?

Passwords remain important not because they're strong or protective—they never have been—but because they're simple. In our increasingly digital-dependent lives, the average user has 25 identities. That's a lot to keep track of, so people tend to reuse their passwords, which in turn leads to major password compromises. As these compromises become larger and more visible, awareness of the shortcomings of passwords is spreading. Many solutions that would be more secure are also more complicated for the end user, but technology is progressing to the point that we'll soon be able to replace passwords with something more secure and also more user friendly.

Where is mobile security headed?

RSA sees more compelling and intuitive ways to verify and authenticate users by leveraging capabilities already present in today's smartphones. For example, using local biometric verification to the device using cameras and voice recording for biometrics, GPS for proximity comparison to typical locations of use, are some of the other ways to capture typical behavioral usage patterns. As for securing devices, there's a growing ecosystem of developers and vendors focusing on giving enterprises greater control through mobile app, container, and device management, all while retaining the device's full usability.

What should organizations look for in an authentication solution?

There are different levels of risk. The portal where people register for a marketing campaign doesn't need the same security as the app that handles your banking transactions. Look for a solution with the flexibility to match your level of risk, and the ability to evolve and adapt to risk without endless updates. It should support different kinds of authenticators, different kinds of devices, and varying levels of technical savvy among users. It should scale to support mobility and cloud as your organization continues to move in that direction.

How will user identities be managed in the cloud-based world?

Standards like SAML and solutions that help users manage and federate single sign-on across the enterprise and cloud are becoming increasingly important, but organizations also need to consider permissions and entitlements at the user level. You need to base individual access to cloud resources on business need, manage access from a central place, federate it across all applications, and change permissions to cloud providers as easily as to internal infrastructure. The trend of using a single social login to access multiple cloud services also opens the possibility of "BYOI"—bringing your own identity—to the enterprise and having permissions for enterprise resources overlaid on it, with a trusted intermediary providing identity control across use cases.

What's in common for all these changes?

You need to secure the user, ensure the right user is accessing the device or cloud service in the right context, and protect the enterprise data wherever it resides in such a way that it can be controlled and eventually removed. There's no reason to create separate silos where your enterprise, cloud and mobile apps are each managed differently. We believe the future involves using existing methodologies and solutions to provide access that doesn't require the end user to enter six different credentials. ■




Wanted: An Enterprise-Friendly Mobile Operating System

Security pros have been debating the issue for years, but when you compare Android and iOS, is either system notably more secure than the other? by George V. Hulme

WITH MILLIONS OF NEW ANDROID and iOS devices pouring into the enterprise every quarter, it's important to know just how much risk these devices bring with them, and whether one mobile OS has an edge over another when it comes to securing enterprise applications and data.

When just looking at malware trends, the easy assumption may be that iOS is the safer platform. A Department of Homeland Security and Department of Justice report published last year, for example, found that only 0.7 percent of all mobile malware targeted iOS, compared to the 79 percent that took aim at Android.

But there's much more to securing mobile devices than just straightforward malware tallies. In addition to standard-grade spyware and other forms of malware, enterprises need to be concerned about attacks that specifically target their users and partners, and they have to comply with many industry and government regulations.

That's quite the challenge, so to make it slightly easier, we're examining whether one of the two most popular mobile OSes is more secure than the other.


Jon Fingas/Flickr


Android Makes Headway

Many contend that Apple's iOS is a more secure system, but Brian Katz, director and head of mobility engineering at Sanofi, doesn't agree. Not completely, anyway. "There are great aspects of iOS security that are built-in, but you still have to take steps to enable those secure features," Katz says. "You can't just start letting people use iPhones to access enterprise assets and think they are more secure because it's iOS."

Jay Leek, SVP and CISO at The Blackstone Group, agrees, somewhat. For several years now, the private equity firm has supported only iOS for its enterprise mobile devices.

That decision was largely driven by the fact that the company had security concerns about the other mobile OSes, as well as by the popularity of iOS with Blackstone's employees. Soon, however, Blackstone's IT team will be supporting Android. Not all Android devices, but those that have been identified as securable, such as Samsung's secure mobile OS, Samsung Knox.

"Whether iOS is more secure than Android is tough to answer. First, it depends on the Android hardware you're comparing it to. Samsung has done the most for Android when it comes to their hardware integrating with some of the Android security hooks. That's why, while we will support Android, we're not going to support Android broadly, we're going to support Android on certain devices," says Leek.

And it's this type of tight hardware integration that gives Apple the advantage, for now. "It only has one hardware platform that's married with the operating system. It's optimized," says Leek. "There just doesn't exist that level of control with Android manufacturers, and it's something we're very concerned about. Whether it's the integration of the operating system with the hardware or the applications in the application stores. The concern is about data being siphoned off, having the microphone turned on remotely, or any number of other things that might transpire that the user is not aware is happening."

When it comes to security controls, both Android and iOS have made strides recently in the native capabilities of their operating systems. For starters, iOS 7 enables enterprises to choose which apps must connect through the corporate VPN to gain access, provides enhanced mobile-device-management (MDM) support, encrypts data held in third-party apps, accepts single sign-on and provides built-in biometric authentication.

With Android 4.4 (a.k.a. KitKat), tighter access control is built into the Linux kernel, along with increased support for digital certificate security warnings, Elliptic Curve Cryptography support, and automated help with identifying buffer overflows. Additionally, hardware-vendor-supported security capabilities, such as Samsung Knox, have been built on top of the Android OS. Knox purports to provide a more secure booting process, creates a trusted zone for enterprise-only applications, and has a security-enhanced kernel. Knox also limits what features can run in the protected area of the device.

"The difference with Android devices is that each manufacturer has their own APIs and they're all managed differently," says Katz. "So there are different calls to get to these unique APIs, which means you actually have to work with the different management vendors to make the APIs useful," Katz explains. This can cause confusion among the devices.

"The number of security controls, and their granularity, within Knox is both a pro as well as a con. They've done a very, very good job of building controls. But with more than 400 controls and more than 1,000 APIs supporting them, these options can very easily introduce more complexity," he says.

Pick a Security Strategy, Not an OS

By mid-year, Leek hopes to have an MDM system in place that will help enforce security policies on The Blackstone Group's incoming Android devices. "We will be evaluating mobile applications and taking an inventory of apps on peoples' phones," Leek explains. "We will be testing those apps, and if we find things that are not desirable, or we feel that something is potentially exposing Blackstone, we will take remediative actions until the issue is fixed," Leek explains.

That vetting won't just be for Android devices, but will be done for iOS devices as well. "The same principles need to be applied to iOS. I believe we are less likely to have problems with iPhones, but I wouldn't be surprised if we uncovered a fair amount of security challenges with iOS apps," he says.

Katz largely agrees, and argues that when it comes to allowing mobile devices on the network, it has to be determined device-by-device, or according to a managed bring-your-own-device policy. "Certain devices get full access to the environment because of the controls you can have in place, while others would be given limited, or even no access. That decision would be based on the basic security controls that can be placed on the device," says Katz. "This way people can choose whatever [device] they want," but the network is still protected, he says.

That's the ideal outcome for enterprises and end users alike: optimal security for enterprise apps and data and optimal choice in personal devices and applications for users. And with popular apps like Starbucks and Snapchat facing security problems, it's important to build that wall between enterprise and consumer before things get too much further out of hand.

■ George V. Hulme is a freelance security and technology writer based in Minnesota. Follow him on Twitter @georgevhulme.






SALTED HASH

It Doesn't Matter What the Dumbest Password Is, People Will Keep Using It

I WANTED TO AVOID THIS STORY, BUT I can't. Passwords are still the core authentication method used in the home and office today, and while solutions exist to replace them, it's not going to happen anytime soon.

SplashData, a company that makes its money by developing password-management applications, has created a new list of dumb passwords. Surprisingly, "password" isn't at the top of the list, "123456" is.

This story got a lot of attention, but it doesn't matter what the dumbest password is, because it's still dumb, and people will still keep using it. But for the sake of context, here are the 10 dumbest passwords, as chosen by SplashData:

■ 123456
■ 123456789
■ password
■ 111111
■ 12345678
■ 1234567
■ qwerty
■ iloveyou
■ abc123
■ adobe123

The company says they compiled this list by crunching the data from files "containing millions of stolen passwords" posted online over the past year. However, many of the entries also appeared on SplashData's list in 2011 and 2012, when the company released similar reports.

From the looks of it, the passwords on the list come from the breaches at Adobe, RockYou.com, and Gawker. Minor breaches in 2013 revealed similar passwords, but, with the exception of those from Adobe, all the other passwords have been appearing on dumb-password lists for years.

So what do reports like SplashData's tell us? As security professionals, they tell us nothing we didn't already know. Lists like this one only show that people continue to choose weak passwords.

The reason people pick these poorly developed passwords is that they're easily remembered. Moreover, in most cases users pick weak passwords because the application or process they're required to use them on has no personal value or meaning. Thus, the poorly crafted password is a throwaway.

A perfect example of this is "adobe123" from the SplashData list. It was likely chosen because it is easy to remember and meets the password requirements dictated by policy, but an Adobe account isn't all that valuable to most people, at least not when compared to a banking or social media account. The same can be said for all the passwords that had "Stratfor" in them when that site's password list was revealed a while back.

Traditionally, organizations control passwords two ways: policy and training. Policy enforces password lengths, variables and expiration, while training is supposed to help users select strong passwords that are not easily cracked using the aforementioned lists. But the problem is that people can't remember overly complex passwords or phrases, and they'll still select throwaway passwords for sites and services they deem unimportant.

This is where I'd try to offer solutions to problems associated with passwords. I can't, though, because passwords have been a problem for years and there's no single solution. There are options on the market for addressing these issues, but it's often cheaper and easier to stick to what works and assume the risk.

SplashData, obviously, says password managers are a perfect solution. That's expected, given the nature of its business, but it's not wrong. The problem is that most businesses cannot use password managers for various reasons, mostly due to overhead and support. Yet I've been in businesses where password managers are used with great success, so it can happen. It depends on the business itself, really.

If you have a solution that works, some sort of training or software that you're using in-house, I'd like to hear about it. Feel free to email me at sragan@cxo.com.
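The deny list the column quotes, worked into a policy check as an added example (not SplashData's software and not the column's author's code). The ten list entries are the page's; the minimum length, the "decorated variant" and digit-run rules, and the service names passed in are assumptions about how a practitioner would generalize the column's point about throwaway passwords such as adobe123 and the Stratfor-derived ones.

```python
"""Policy check for proposed passwords, built around the SplashData list
quoted in the column.

A candidate is rejected when it (a) is on the list, (b) is a decorated variant
of one of the list's alphabetic entries ("Password2014!"), (c) is a repeated or
sequential digit string, generalizing the list's numeric entries, or (d) embeds
the name of the service it protects ("adobe123", "Stratfor2012"), the
throwaway pattern the column describes. The minimum length, the variant and
digit-run rules, and the service names are assumptions, not SplashData's rules.
"""
import re

# SplashData's top-10 list as printed in the column.
SPLASHDATA_TOP10 = [
    "123456", "123456789", "password", "111111", "12345678",
    "1234567", "qwerty", "iloveyou", "abc123", "adobe123",
]

MIN_LENGTH = 8  # assumed policy minimum; the column names no figure

# Ascending and descending digit-row sequences, doubled so that wrap-around
# runs such as "890123" are also caught by a substring test.
DIGIT_RUNS = ("01234567890123456789", "09876543210987654321")


def alpha_core(pw: str) -> str:
    """Lowercase the password and strip leading/trailing digits and symbols,
    so 'Password2014!' and 'qwerty99' reduce to 'password' and 'qwerty'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


# Alphabetic stems of the list entries: password, qwerty, iloveyou, abc, adobe.
LIST_CORES = {alpha_core(p) for p in SPLASHDATA_TOP10 if alpha_core(p)}


def is_digit_run(pw: str) -> bool:
    """True for all-digit strings that repeat one digit (111111) or walk the
    digit row in either direction (123456, 987654)."""
    if not pw.isdigit() or len(pw) < 4:
        return False
    if len(set(pw)) == 1:
        return True
    return any(pw in run for run in DIGIT_RUNS)


def check_password(candidate: str, service_name: str = "") -> list:
    """Return the policy findings for a candidate; an empty list means accepted.

    service_name is the site or application the password protects, so that
    'adobe123' is rejected for an Adobe account even if it were not listed."""
    pw = candidate.strip()
    low = pw.lower()
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if low in SPLASHDATA_TOP10:
        findings.append("on the SplashData top-10 list")
    core = alpha_core(pw)
    if core in LIST_CORES and low not in SPLASHDATA_TOP10:
        findings.append("decorated variant of list entry '%s'" % core)
    if is_digit_run(pw):
        findings.append("repeated or sequential digits")
    svc = service_name.strip().lower()
    if svc and svc in low:
        findings.append("contains the service name '%s'" % svc)
    return findings


if __name__ == "__main__":
    # Constructed candidates: the column's examples plus a few variants.
    for cand, svc in [("123456", ""), ("adobe123", "Adobe"),
                      ("Password2014!", ""), ("Stratfor2012!", "Stratfor"),
                      ("correct horse battery staple", "")]:
        print("%-30s -> %s" % (cand, check_password(cand, svc) or "accepted"))
```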




Thinkstock 




Hackers’ New Tricks Offer More Success With Less Work

HACKER GROUPS INCREASINGLY COMPROMISED INDUSTRY websites in 2013 in an attempt to load malware onto the computers of employees of targeted companies and government agencies, a global threat report found.

The strategy, called a “watering hole” attack, was used as a more effective alternative to using phishing to get employees to click a link to an infected website, according to CrowdStrike’s year-in-review study. Compromising the sites frequented by employees raised the infection rate while reducing the amount of work required for success.

With phishing, the hackers have to research the targeted groups of employees so they can design a convincing message, says Dmitri Alperovitch, co-founder and CTO for CrowdStrike.

“If you do this for thousands of people that you want to potentially compromise, it takes quite a bit of effort from a human involvement perspective,” he says. A watering hole attack “allows you to scale these operations for compromising a whole slew of targets all at once.”

CrowdStrike based its findings on the more than 50 groups it tracked last year, many of which conducted effective watering hole attacks. Owners of the sites compromised included The Council of Foreign Relations, Capstone Turbine, and Napteh Engineering and Development Co.

Hacking groups in Russia and China were particularly fond of watering hole attacks. A Chinese group that CrowdStrike calls Emissary Panda targeted foreign embassies, while a group called Energetic Bear, which has ties to the Russian government, focused on Western targets within the energy industry.

In the past, Russian groups have been more interested in military organizations. Over the past couple of years, their interests have shifted to stealing intellectual property and sensitive documents from Western energy companies. Russia is a major oil producer.

“Traditionally, we have seen [economic espionage] from the Chinese, and we’ve also started seeing that from the Indians,” Alperovitch says.

This year, CrowdStrike expects to see a lot of hacker groups focus on breaking into systems running Windows XP, which Microsoft will stop supporting in April. Hackers are expected to take advantage of the absence of regular vulnerability patches to create malware targeting previously unknown exploits in the OS.

As a result, CrowdStrike is predicting a rise in XP infections in the second and third quarters of this year.

“You’re going to have a very vulnerable population,” Alperovitch says. “A lot of these machines are in enterprises and a lot of them are running point-of-sale terminals in retailers, so you’re going to have a big problem on your hands.”

As of December, Windows XP was running on 29 percent of the computers accessing the Internet, according to Net Applications.

CrowdStrike also expects to see malware creators increasingly encrypt network traffic when communicating with remote servers. In addition, malware is expected to become better at appearing benign in order to bypass sandboxes meant to contain malicious code.

Finally, attackers will likely launch phishing and watering hole attacks that are designed to take advantage of major events such as the Winter Olympics, the World Cup and the G20 Summit, a gathering of finance ministers and central bank governors from 20 major economies.

-Antone Gonsalves




■ Tech


Google Tackles Chrome’s #1 Flaw

GOOGLE IS BOLSTERING ITS DEFENSES against what it says is the number-one complaint among Chrome users: the hijacking of browser settings by malicious code hidden in free downloads such as screensavers, games and video plug-ins.

The company is enhancing the Chrome feature that allows users to reset their browser settings to their original defaults in order to remove all malicious plug-ins and apps. Besides providing the reset option, Google will also alert users when browser settings have been changed and provide the option of one-click reset.

“Alerts about when a Chrome plug-in is trying to change browser settings are one important piece of a defense strategy against malware,” says Stephen Brunetto, director of product management at security vendor Trustwave.

Hackers will often try to change browser settings as part of a click-fraud scheme in which the new settings will direct users to search engine pages or a new homepage. The pages typically try to entice visitors to click on links that will generate a profit for the attackers.

Linus Upson, vice president of engineering at Google, said in a blog post that the number of click-fraud schemes like these is growing at an “alarming rate.” Further, he said, “Settings hijacking remains our number one user complaint.”

The alerts, which will appear at the bottom of the browser window, will only be available on computers running Windows.

People who choose to use the reset option will afterwards have to go back and reactivate any extensions, apps and themes they had installed before. This can be done by going to the Chrome “Settings” menu and, in the window that opens, looking at the list on the left side of the page for “Extensions.”

Some types of hijacking malware are particularly troublesome, in that they are difficult to remove, and in some cases they will return a short time later to change the browser settings again. In those cases, Upson recommends going to the Chrome help forum to find more information about how to remove these stubborn programs.

The enhancement is part of Google’s Safe Browsing feature that flags websites Google has identified as malicious. The feature automatically prevents downloads from those sites. Google says it flags 10,000 new websites every day.

For businesses and consumers, preventing users from visiting malicious websites is key to defending against phishing attacks, which is when a hacker sends email designed to trick recipients into clicking on a link to a compromised site.

“The most common and effective security threats facing users today are socially engineered malware and phishing attacks,” NSS Labs said in its 2013 security analysis of the major browsers, including Chrome, Internet Explorer, Safari, Firefox and Opera.

Google’s Safe Browsing tool is used by Chrome, Firefox and Safari, which all came within four percentage points of one another as the top three browsers for catching malicious websites. Microsoft IE came in a distant fifth, 13 percentage points behind first-place Firefox.

However, browsers are continuously updated, so standings often vary between studies.

-Antone Gonsalves




CSO Forum on LinkedIn

Share best practices and insight and discuss your challenges with your security executive peers.

The CSO Forum is where members of the security community can connect and collaborate to move their security and technology initiatives and careers forward.

If you are a senior security or IT professional, we’d love to have you join; apply for membership today.

Visit linkedin.com, click Groups and search for “CSO Forum”

Facilitated by CSOOnline.com and CSO Magazine



■ Tech




Microsoft’s Decision to Stop Supporting Windows XP Puts Retailers’ Point-of-Sale Systems at Risk

RETAILERS WILL FACE AN increased risk of data breaches after Microsoft ends support for Windows XP, a version of which powers the majority of modern cash registers, security vendor Symantec warned in a recent report.

Many point-of-sale (POS) devices run the Windows XP version of Windows Embedded, a scaled-down version of the operating system designed for devices such as set-top boxes and vehicle computers. Starting April 8, Microsoft will end support for Windows XP, which means it will no longer provide security patches for the 13-year-old OS.

“This event will certainly place POS operators under increased risk of a successful attack, and POS operators should already have mitigation plans in place to meet this coming deadline,” Symantec’s report said.

Cybercriminals infected Target’s and Neiman Marcus’s systems with malware, which collected unencrypted payment card details after a customer’s card was swiped. In December, Target said 40 million payment card records were compromised, along with 70 million other records, making it one of the largest reported data breaches on record.

Neiman Marcus said up to 1.1 million cards were compromised between July and October 2013, but it opted to notify all customers who have shopped at its stores since January 2013.

RSA, the security division of enterprise software vendor EMC, said it found 119 POS terminals belonging to 45 retailers, 32 of which are based in the U.S., may be infected with malware.

Since the POS terminals run Windows, it’s easy for hackers to repurpose other Windows malware to suit their needs, Symantec wrote. “This means that attackers do not need specialized skills in order to target POS systems,” the report said.

Security experts theorize that POS hackers are either attacking the terminals directly from the Internet or are finding another way into company networks by exploiting other software vulnerabilities.

Companies handling payment card data are required by Visa and MasterCard to follow industry security practices, known as the Payment Card Industry Data Security Standard. Those standards recommend but do not require retailers to isolate networks that handle card data, Symantec explained.

POS systems must be accessed for software updates, the export of business data such as purchase orders and inventory, and to connect with external payment processors, the report said.

“While a strictly controlled and completely isolated POS system network would be quite secure, it is too impractical for serious consideration,” the report said.

Orla Cox, senior manager of Symantec’s Security Intelligence Delivery, wrote on the company’s blog that card theft attacks are likely to continue because “stolen card data has a limited shelf life.”

“Credit card companies are quick to spot anomalous spending patterns, as are observant card owners,” she wrote. “This means that criminals need a steady supply of ‘fresh’ card numbers.”

-Jeremy Kirk, IDG News Service


CSO’s e-Mail Newsletters

Keep Up To Speed On the Security Issues Important to You, Delivered right to your desktop

■ CSO Update: A look at the latest security news and analysis on CSOonline.com, delivered three times a week.

■ CSO Salted Hash: IT security news and analysis, over easy, delivered daily.

■ CSO News Watch: A recap of the week’s top news stories.

■ CSO Career: A twice-monthly newsletter of career and leadership-oriented news, articles and events plus job postings.

■ CSO Tech Watch: Twice-monthly update on technologies for protecting networks, facilities, employees, intellectual property and more.

■ CSO Security Leader: Biweekly leadership-related articles and reports from CSO, as well as tips for educating employees and corporate leadership.

■ CSO Continuity & Recovery: A twice-monthly review of published material concerning business continuity and disaster recovery.

■ Security Research & Metrics: A monthly roundup of useful security research, benchmarks and statistics.

■ CSO Risk Management: A monthly roundup of strategies and tools for accurate measurement and prioritization of risks.

Sign up now for CSO’s complimentary e-mail newsletters: www.CSOonline.com/newsletters




Take Your Work to the Next Level

Security is all about the big picture now. Here’s a look at how the ‘CSO 2.0’ is different from the CSOs of the past, and what skills you need to be one. By George Viegas

INFORMATION SECURITY IS CHANGING rapidly. At each new security conference, it seems as if there are twice as many new tools and new vendors as there were at the last one. Security incidents are occurring more often and with increased financial or reputational impact.

At the same time, resources for security and IT remain nearly constant. How do we do more with less? How do we govern in a rapidly changing environment? How can we stay in tune with the needs of the business and make security a driver of change rather than a box to check? Here’s a quick breakdown of what separates the traditional CSO from the sort of CSO who can succeed in 2014 and beyond.

CSO 1.0

■ Little to no understanding of what makes the business tick

■ Focused on securing the external network only

■ Remains in the information security domain

■ Metrics and reporting to the business are primarily technical and security based

■ Relies on anti-virus and security technology only

■ Adds new security tools because they are trendy and everyone is doing it

CSO 2.0

BUSINESS

■ Engages with and understands the business: Keeps in close touch with peer business leaders and maintains points of contact and feedback loops across multiple levels of the business organization

■ Uses metrics that the business can understand because they’re risk-based and tied to dollar amounts

■ Aligns security objectives with business goals, even trying to make security a driver for more business

TECHNICAL

■ Treats the external and internal network as hostile: With the proliferation of mobile devices and advanced persistent threats, the internal network is as big a threat as the external one; add SSL for critical internal websites as you would on external sites

■ Proactive focus: Focus on proactive security measures such as training and continuous security scanning of production systems

INFORMATION SECURITY MANAGEMENT

■ Takes a risk- and compliance-based security approach to information security: Finds the right mix of security tools to address business risks and non-security tools such as legal agreements for risk mitigation

■ Uses a holistic information governance approach: Works with other data governance stakeholders such as privacy, compliance and legal to create a cross-functional approach to data, information and asset governance

■ George Viegas is director of information security at a multinational information and media company in California.




Tony Bradley, Bradley Strategy Group

BLOG POST

Users Are Still the Weakest Link in the Security Chain, Studies Show Once Again


EVERYONE IS WORRIED about cybercriminals infiltrating their network, or having their servers or PCs compromised by malware. And they should be.

But it might surprise you to learn that the greatest risk to your network and PCs is actually your own users.

If you look back at the biggest data breaches and network security incidents of the past few years, it seems that the root cause of most, the “patient zero,” is the actions of authorized users. Whether they do it intentionally or accidentally, users are in a position to expose information and compromise PCs with a single errant click.

Many users are not completely ignorant of the risks. In organizations with an IT department, users are often conscious of the fact that there is someone there to catch them if they fall.

They intentionally choose to engage in riskier online behaviors when using company PCs from a company network, behaviors they wouldn’t dare attempt on their home PCs where they know they’re responsible for troubleshooting and cleaning up after themselves.

A study conducted by Osterman Research discovered that many IT admins are concerned about the potential threat introduced by user behavior. The risk of employees introducing malware to the company network was cited as a major concern by more than half of those surveyed. Nearly three-fourths stated that their network has been penetrated by malware as a result of Web surfing, and almost two-thirds declared that they had been compromised through email, just in the past year.

Often, however, the risky behavior is really just a side effect of attempts to work more efficiently. For example, users upload files to consumer-oriented services like Dropbox so they can continue working on them from home, or know that they’ll have access to important data while visiting a client site.

One study found that 87 percent of executives send company data or emails to personal cloud accounts so they can work from home or on the road. A shocking 58 percent admit that they have accidentally sent sensitive data to the wrong destination. The organization can minimize the risk of sensitive data being exposed or compromised by providing users with a comparable solution that is more secure.

User awareness remains one of the most effective tools available for protecting company assets and data. Organizations need to make sure users understand the importance of protecting sensitive data and safeguarding company assets, and that they’re aware of how their actions affect the overall security of the entire organization.

Stopping there, however, is a recipe for disaster. Users will continue to circumvent policies and find a way to get things done despite the IT department. It is equally important for IT personnel to engage with users to understand how and why they do what they do. Rather than being the draconian police who make everyone’s life difficult, IT needs to take on a role of facilitating and enhancing business processes by providing users the tools they need to do the job properly and securely.

-Tony Bradley is a principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends.




■ Risk


Threat Modeling Helps You Keep Your Company a Step Ahead of the Risks

WITH SIGNIFICANT BREACHES BECOMING a near-daily occurrence, it’s clear that attackers are managing to stay one step ahead of many organizations and that security professionals and CIOs aren’t focusing closely enough on the threats and the data that matter.

Consider the findings of our most recent annual Global Information Security Survey, conducted by PricewaterhouseCoopers and CSO. Although many of the 9,600 execs surveyed said that their organizations had increased IT security spending, the number of attacks they’re enduring and the costs of those attacks are rising.

So it’s not so surprising to learn that only 17 percent of those respondents bother to classify their business use of data, roughly 20 percent have procedures dedicated to protecting intellectual property, and only a surprisingly low 26 percent inventory assets or conduct asset management.

If enterprises are to improve, they need to more precisely understand the actual threats facing their organization and the vulnerabilities in their IT enterprise.

The fix? Threat modeling.

It’s not a new concept, and it’s one we’re all already applying on a personal level.

“We all conduct risk assessments and threat models in our daily lives, whether we think about it or not. We think about who might want to break into our car and the neighborhood we’re in. So we do it all the time that way,” says Wendy Nather, research director of the enterprise security practice at 451 Research.

We’re not always good at this: We fear shark attacks more than accidents around the house, for example. People tend to get more jittery when boarding an airplane than when getting behind the wheel of their car. Emotions take over, leading to flawed risk assessments, and the same problem often affects enterprises as well.




To improve their decision-making, organizations need to quantify their risks as best they can.

Eliminate Emotion

“From an organizational perspective, it’s important because a business needs to understand who and what the threats are, just as you want to know who your competitors are and who might pose a threat to you in that way,” says Eric Cowperthwaite, vice president of advanced security and strategy at Core Security and former CISO at Providence Health and Services. “Otherwise the CEO is just awash in all of the fantasy in news all of the time,” he says.

Threat modeling is not a new concept to some industries, such as banks, financial services, and those in critical infrastructure or delivery of critical services.

“Banks have done threat modeling for fraud forever,” says Nather. “I think that as time goes on, though, industry has learned that they have to threat model for more than just fraud.”

Makes sense. Business conditions, threats, and vulnerabilities are always changing, perhaps now more than ever, and that requires periodic threat models. For instance, as more of their customer transactions moved online, banks and financial services companies have had to reassess the security of customers’ credentials and consider how they could be compromised, and even wonder how their customers themselves may try to commit fraud, Nather says.

When Cowperthwaite was the CISO at Providence Health and Services, he says they would regularly threat model to better understand the risks the organization faced, calm the emotional reactions to fast-breaking security news, and focus their security budget.

“The value of threat modeling to both the CISO and the organization is primarily the ability to more effectively and efficiently manage risks,” he says.

“Most security programs today at least try to be risk-based. And simply put, a risk is a threat that is external, internal or environmental, plus the vulnerability. Threat modeling is important to determine those threats that could target you, and how well prepared you are against those specific threats. Otherwise you end up trying to protect yourself against everything,” he says.

Cowperthwaite recalls when the news of state-sponsored attackers first surfaced. At the time, the attackers were primarily targeting technology companies.

“Everyone was running around thinking the sky was falling because they were reacting emotionally,” he explains.

“They weren’t considering the likelihood that these specific attackers would target their organization. What they weren’t looking at was a proper threat model about who the attackers were actually targeting, what they wanted, and their capabilities,” he says.

“In my threat model, I didn’t determine those attackers to be a risk to us because of the model of their threat and behavior. We were a not-for-profit, and it didn’t appear that we had anything that would be of value to them and we concluded they were not a significant risk to us,” Cowperthwaite says.

So what and who are necessary to create a threat model? Business leaders, development and operations teams, and security teams must work together to rank the business criticality of data, applications and infrastructure. Security teams can also find vulnerabilities in applications and systems and identify the threat actors that would want to target them.

It’s important not to get caught up in thinking that every threat is a potentially significant risk to your organization.

“It’s not about defending against all possible threats,” says Nather, “but those that are most probable.”

How would those actors target your organization? Whether the potential attackers are cybergangs looking for financial information, hacktivists seeking to deface your website, or nation states looking for trade secrets, figure out the most likely method they’d use to achieve their aims. Based on your vulnerability and risk assessment, how likely would they be to succeed? Close the biggest, most important, most likely to be attacked gaps first.

The result of this exercise should be increased security and lower costs because the threats that are unlikely or don’t target your organization won’t be focused on. It also eliminates a lot of the emotional guesswork, Cowperthwaite says.
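As an added worked example (not code from the article, 451 Research or Core Security), the ranking the article describes, business criticality from the business leaders, the actors that actually want what you hold, and the chance they succeed through the control gaps you still have, expressed as a small Python model that orders gaps by the risk they carry. The organization, actors, assets and all numbers are constructed to mirror the not-for-profit case above; the labels and weights are assumptions, not anything from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatActor:
    name: str
    wants: frozenset        # kinds of data this actor goes after
    likelihood: float       # 0..1: how probable it is that they target this organization
    capability: float       # 0..1: how well resourced and skilled they are


@dataclass
class Asset:
    name: str
    data_kinds: frozenset   # kinds of data the asset holds or exposes
    criticality: int        # 1..5, ranked together with the business leaders
    control_gaps: dict      # gap description -> residual exposure 0..1 after existing controls


def interested(actor: ThreatActor, asset: Asset) -> bool:
    """An actor that wants nothing you hold is not a significant risk, whatever its capability."""
    return bool(actor.wants & asset.data_kinds)


def gap_risk(actor: ThreatActor, asset: Asset, exposure: float) -> float:
    """risk = threat (likelihood of being targeted) x vulnerability (chance of success) x impact."""
    chance_of_success = min(1.0, actor.capability * exposure)
    return actor.likelihood * chance_of_success * asset.criticality


def risk_score(actor: ThreatActor, asset: Asset) -> float:
    """Risk this actor poses to this asset through its weakest remaining control."""
    if not interested(actor, asset):
        return 0.0
    worst_gap = max(asset.control_gaps.values(), default=0.0)
    return gap_risk(actor, asset, worst_gap)


def rank_gaps(actors, assets):
    """Order control gaps by the total risk they carry, so the biggest, most likely gaps close first."""
    totals = {}
    for asset in assets:
        for actor in actors:
            if not interested(actor, asset):
                continue
            for gap, exposure in asset.control_gaps.items():
                key = (asset.name, gap)
                totals[key] = totals.get(key, 0.0) + gap_risk(actor, asset, exposure)
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


# Constructed sample: a not-for-profit health provider holding no trade secrets.
# The nation-state actor is highly capable but wants nothing this organization has.
CYBERGANG = ThreatActor("cybergang", frozenset({"payment cards", "patient records"}), 0.7, 0.6)
HACKTIVISTS = ThreatActor("hacktivists", frozenset({"public website"}), 0.3, 0.4)
NATION_STATE = ThreatActor("nation state", frozenset({"trade secrets"}), 0.05, 0.95)
ACTORS = [CYBERGANG, HACKTIVISTS, NATION_STATE]

PATIENT_RECORDS = Asset("Patient records", frozenset({"patient records"}), 5,
                        {"unpatched Windows XP workstations": 0.8,
                         "shared vendor VPN credentials": 0.6})
WEBSITE = Asset("Public website", frozenset({"public website"}), 2,
                {"outdated content management system": 0.9})
ASSETS = [PATIENT_RECORDS, WEBSITE]

if __name__ == "__main__":
    for actor in ACTORS:
        for asset in ASSETS:
            print(f"{actor.name:>12} -> {asset.name:<16} risk {risk_score(actor, asset):.2f}")
    print("\nClose first:")
    for (asset_name, gap), score in rank_gaps(ACTORS, ASSETS):
        print(f"  {score:.2f}  {asset_name}: {gap}")
```

With these inputs the capable nation-state actor scores zero against every asset, and the unpatched workstations holding patient records rank first, which is the prioritization the article argues for.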

Stefan Frei, research vice president at security research firm NSS Labs, says it’s also crucial to carefully vet the real-world abilities of the technical controls you depend on. Oftentimes, defenses aren’t running at full effectiveness, they’re not maintained properly or they’re just not as good as you think.

It’s not uncommon for multiple instances of anti-malware, intrusion-prevention systems and other defenses to miss the same version of advanced malware, Frei says. “That’s just another reason why it’s so important to threat model often.”

-George V. Hulme is a freelance security and technology writer based in Minnesota.

Follow him on Twitter: @georgevhulme.




■ Risk


CSOs  Feel  the  Pressure  Mount  Every  Year 


ACCORDING  TO  A  RECENT  STUDY,  SECURITY-RELATED 
pressures  in  IT  have  climbed  steadily  year-over-year  as  security  pro¬ 
fessionals  face  the  constant  strain  that  comes  with  defending  their 
organization’s  network  and  data  from  an  assortment  of  threats  coming 
from  all  sides. 

The  data  comes  from  Trustwave’s  2014  Security  Pressures  report.  In 
an  attempt  to  understand  the  variety  of  pressures  that  those  working 
in  infosec  face,  Trustwave  spoke  to  833  security  decision  makers  about 
the  topic,  including  CIOs,  CISOs,  and  IT  directors  and  managers  in  the 
U.S.,  the  U.K.,  Canada,  and  Germany. 

Depending  on  where  the  respondent  lived,  the  level  of  pressure  ex¬ 
perienced  varied.  In  the  U.S.,  65  percent  of  the  respondents  said  they 
expect  to  feel  more  strain  this  year,  compared  to  the  43  percent  in  Ger¬ 
many  who  expected  to  feel  an  increase  in  stress. 

Yet  when  the  data  from  2013  is  included,  professionals  in  both  loca¬ 
tions  reported  a  year-over-year  increase  in  perceived  pressures,  and  Ger¬ 
many  had  the  largest  gain,  jumping  from  10  percentage  points  since  last 
year.  In  comparison,  the  U.S.  had  a  three  percentage  point  increase,  the 
U.K.  had  a  four  point  increase,  and  Canada  saw  a  seven  point  bump. 

“When  we  speak  to  CIOs,  CISOs,  IT  managers  and  directors,  we  al¬ 
most  always  hear  that  their  board  of  directors  has  asked  them  what 
they  are  doing  to  protect  the  company’s  valuable  information.  When 
the  board  asks  questions,  there  is  more  pressure.  However,  security  has 
been  a  board-level  issue  for  some  time,”  says  Leo  Cole,  Trustwave’s 
general  manager  of  security  solutions.  “The  board  is  taking  the  ques¬ 


tions  to  a  whole  new  level  and  creating  a  more  sophisticated  conver¬ 
sation  surrounding  security.  As  a  result,  the  in-house  CIO  feels  more 
pressure  because  not  only  does  he  have  to  say,  ‘I  bought  this  secu¬ 
rity  technology,’  but  also,  ‘I  bought  this  security  technology  and  it  will 
work,”’  Cole  says. 

Chris  Pogue,  director  of  incident  response  and  forensics  for  Trust- 
wave,  thinks  the  pressures  were  caused  by  a  mix  of  things,  including 
news  coverage,  the  growing  scale  of  breaches,  and  a  seemingly  endless 
wave  of  attacks  from  all  sides. 

“Security  is  like  car  insurance.  People  buy  it  hoping  they  will  never 
have  to  use  it,”  he  says.  “What  do  they  get  in  return  for  their  money? 
Help  with  protecting  their  valuable  data  from  getting  into  the  wrong 
hands.  In  light  of  the  recent  media  coverage  of  data  breaches,  the 
what-if  scenario  is  getting  more  attention.  Now,  it’s  no  longer  'What 
if  I  get  hacked?’  it’s  ‘What  if  I’m  next?’  It’s  now  more  real.  The  threat 
hasn’t  changed.  The  attackers  haven’t  changed.  What  has  changed  is 
the  public  perception  and  the  subsequent  fear  brought  on  by  possibly 
being  the  next  big  breach.” 

When asked which types of threats and risks generate the most pressure, the respondents in the U.S. (68 percent) and Canada (63 percent) said targeted malware, while the U.K. (64 percent) and Germany (60 percent) singled out phishing and social engineering. But targeted malware is still a concern for those two countries; the threat was ranked a close second in the U.K. and took third in Germany. Targeted malware includes attacks that profile the victim and use multiple social engineering and hacking methods to get access to data.

By contrast, only 49 percent of respondents in the U.S. listed viruses and worms as one of the threats that generate the most pressure, along with 36 percent of Canadian respondents. Germany and the U.K. weren’t very worried about them either. Moreover, none of the respondents ranked zero-day vulnerabilities as a top concern, despite the fact that targeted malware will often leverage all three of these attack surfaces, as criminals will do whatever they can to assure success.

Remarkably, despite recent big-name breaches dominating headlines and the growing attention being paid to security incidents, 5 percent of the respondents still felt their organization was completely safe from security incidents and had no concerns.

“Oftentimes, we speak to business leaders who simply don’t think they are a target. They don’t realize the wealth of information they have and how valuable that information is to a criminal,” Cole says of the 5 percent who feel invulnerable.

“Or, quite simply, they think they have nothing worth taking, which most likely isn’t true. However, even if that is the case, where the attackers target a business that may not have data they can profit from, they can still use that business as a pivot point into other organizations,” Pogue says.

Customer data theft is the number-one problem respondents worry about in the wake of a breach, with 58 percent picking this concern over intellectual property theft, reputation damage, or fines and legal action. It’s possible that this fear beats out legal repercussions because customer data loss means perpetual damage to the business and its customers, whereas a fine is often a one-off problem.

“It’s all risk assessment. How much protection is enough? One breach could lead to losing the integrity of your business, whether it’s losing customers, intellectual property, customers’ trust or a financial loss,” Cole says. “Small and midsize businesses would suffer the most from this loss. They cannot afford to lose customers and still stay in business.”

Respondents also worry about how much is enough when it comes to weighing features against resources. A majority of respondents said they feel pressure to select the latest security technologies, but at the same time, they lack the resources they need to use them.

And despite the popularity and rapid adoption of cloud-based technologies and mobile applications, the survey found that these were the top two emerging technologies that security decision makers worry aren’t safe.

The report also covered internal stresses. For example, staffing was a common pain point, with nearly half of respondents reporting that if they had twice their current staffing, they’d be able to lower their stress levels and improve job effectiveness.

Survey takers were also asked if they were being pressured to roll out IT projects despite security concerns, and 79 percent said that they have had to do so at least once or twice.

“It’s logical business,” Cole says. “Business leaders have to find new ways to market their products and those are at the forefront of their business decisions, not security. We often see companies launch websites that are not secure because they are solely focusing on selling their products.”

“Security still too often plays second fiddle to meeting a deadline,” Pogue says. “We used to have a saying in the Army: You can have it fast, or you can have it right; you can’t have both. Fast seems to be the soup du jour.”

In response to the project rollout stat, Kim Jones, the CSO for the payment-processing firm Vantiv, says that security risk should not stop or slow projects all the time, and in fact there are times when the benefits outweigh the risk. However, he also suspects that security should win those battles more often than it does.

“My input to a project is one of many drivers for a project’s success or failure. It is my responsibility to ensure that I (a) am properly injected into the project process at proper points in the process; (b) properly identify, and, where possible, quantify, the risks; (c) raise the risks to the appropriate levels within the organization; and (d) where risk isn’t mitigated, ensure that the risks are properly and formally accepted at the appropriate levels within the organization,” Jones said in an email.

In addition, Jones said it’s likely that many security organizations are not looped into the IT project cycle at appropriate points, or do not have the type of risk identification and acceptance process that he describes.

In those organizations, security tends to be in catch-up mode. Often the team is brought in at the eleventh hour to rubber-stamp the project, and if they find something wrong, the remediation time frame would force the project to blow its deadline. Or worse, Jones added, without a risk-acceptance process, the organization may be hard-pressed to find someone willing to sign off on the risk.

“The pressure becomes that of delivering the project rapidly, on time, and not slowing down the effort to inject the security afterthought. Combine that with an inadequate risk-acceptance process and you begin to see why many of my brethren either change jobs rapidly or choose to leave the profession,” Jones wrote.

So what can be done to help? What would lower the perceived pressures and ease the stress of those who took part in Trustwave’s study?

Asked to provide a wish list for 2014, the respondents said that bigger budgets, more IT security skills and more time to focus on security would be their top three requests. After that, they listed less complexity in technology, fewer requests from business line managers and additional staffing.

- Steve Ragan


79%: Percentage of respondents who said that they’ve had to launch an IT project despite security concerns


The 7 Best Habits of Effective Security Pros

It’s easy for security professionals who are passionate about their careers to get caught up in the technology, but success today requires a lot more than technical savvy. By George V. Hulme


Today’s information security professionals need to learn more quickly, communicate more effectively, know more about the business and match the capabilities of an ever-improving set of adversaries. But it wasn’t too long ago that executives could survive in the field with little more than a dose of strong technical acumen and a shot of creativity, which was all it took to protect the network, solve most problems and fend off attacks.

Not so today. The role of the security professional has evolved beyond that of merely a technically savvy executive, and now requires practitioners to also play consultant, educator, investigator and defender of the data.


To understand which traits and habits matter most, we reached out to a number of security professionals who are successful in their respective areas in the field.

If there’s one thing that jumped out from the interviews it was this: Security knowledge is only the beginning of the skills and habits one needs to succeed.




Effective Habit 1

Communication. As Branden Williams, executive vice president of strategy at Sysnet Global Solutions, says, it’s the ability to translate “l33tsp34k to a P&L.” Interpersonal communication skills are critical for security and forensics professionals for a variety of reasons, the most powerful one being self-interest.

“Good communicators earn more promotions and more jobs than do bad communicators. You could be the best technician in the world, but if you can’t hold up your end of a conversation about what you’re doing with business people, you’re not going to be asked back to the table,” says Brian Martin, founder of Digital Trust.

Communication is a challenge for many flavors of IT professionals, not just security pros. “My assumption has always been it’s because we spent our school years learning things and not worrying about other people. There’s also a tendency for people with communication issues to focus on technical challenges as a way to compensate. Whether it’s language, arts or science, the people who are very good at it have, in a lot of cases, neglected their interpersonal skills,” says Martin.

Effective Habit 2

Business acumen. Increasingly, knowing the business and how to handle political challenges is just as important as technical acumen. For CSOs, it is arguably more important in terms of being able to persuade business leaders to give you the resources you need to succeed, and to compromise with business leadership and the organization when necessary.

“In order to be an effective CISO, you must first understand how your organization makes money and know the real world threats that influence sustained success. There are no magic bullets and no checklists you can implement to reduce your unique risk profile,” says Boris Sverdlik, manager of product and platform security at Tagged.

One factor that is necessary for long-term success is compromise, which, essentially, means being able to help the enterprise meet its goals while keeping risks within acceptable tolerance levels. “Part of why I think compromise is such an important skill for a CISO or security professional is that many of us are trained to say ‘no’ on new initiatives without trying to make a pathway to get to ‘yes,’” says Williams.

Williams recalled a recent conversation with a CISO at a large company in which he proclaimed he had “unequivocally” banned user-owned devices from his organization. What the CISO didn’t appear to understand was that they were coming in anyway, explains Williams, behind the backs of the CIO and the IT department.

“People found ways to bring certain work items to their personal devices through cloud sharing applications such as Dropbox and Evernote. The business he supported clearly had a need for some of these services, but his stubbornness ultimately led his users to work around him,” he says.

Effective Habit 3

Creativity. It’s no secret that the adversary is quite creative, and to match wits with these intelligent, dynamic, inventive and motivated attackers, security pros must cultivate those same qualities in themselves.

In addition to being useful for defense, creativity is also essential for offense, where it helps solve technical problems. For example, Williams relates the story of a time when a client was exploring a mobile point-of-sale system to be used for sales from outside their primary place of business. “The CISO never outright said ‘no,’ but instead worked through the requirements of the business, found acceptable solutions that met the company’s security goals, passed on some of the cost of this to the business owner, and was able to get a solution working,” says Williams.

This is one example of how creative security professionals can improve their relationships with other business stakeholders and lower risk more effectively.

Effective Habit 4

Problem solving. According to Digital Trust’s Martin, root cause analysis and troubleshooting skills are essential to being a good security pro because it’s impossible to train for the unknown, and there will be plenty of unknowns to analyze in the typical security career.

“Nobody can know everything about everything, and there is always something new, different or strange that comes along,” he says. This is why for his practice, Martin seeks candidates who, in addition to being security-savvy, have strong problem-solving skills.

“They won’t know how to solve a new problem immediately, but they’ll figure it out pretty fast,” he says. “This is essentially the heart of hacking: figuring new stuff out. Without the ability to think on your feet and figure previously unencountered stuff out, how will they respond to a mysterious change in a box configuration, or the latest zero-day?”

Interestingly, when attempting to find the root cause of problems and incidents, communication and business acumen skills also come into play and improve outcomes.

“Diplomacy also can be effective in crisis or reactionary scenarios,” says K. C. Yerrid, senior security consultant at FishNet Security.

“Consider the barriers to determining root cause for an incident. By utilizing diplomacy, personal motivations [that may lead employees] to distort the truth and protect job security or ego may be reduced, resulting in a more efficient resolution and shifting the goal of the root cause from a personal witch hunt to a bona fide process-improvement mechanism,” says Yerrid.

Effective Habit 5

Curiosity. Another critical trait mentioned by those we queried is the constant desire to learn new things. Kelly Lum, technical information security officer at Citi, says it’s about keeping on top of news and changing developments in their field, whether it be policy developments, new exploitation techniques and bug classes, emerging tech, or other trends.

The need for security pros to feel driven to pursue lifelong learning is clear on the surface. In the past five years alone, technology has changed tremendously, and so has the industry’s general understanding of the adversaries it faces. To keep abreast of the latest technologies, exploits and attack trends, it’s important to hit the books, blogs, social media and news sites daily, and to obtain certifications and attend a conference or two every year.

Tagged’s Sverdlik says he is sure to hit a number of resources every day. “I personally read Reddit, a full-disclosure mailing list and several others every day just to stay on top of trends and correlate them back to my organization,” he says.

Effective Habit 6

Engagement with business stakeholders. Effective security pros are always looking for ways to engage with business stakeholders, whether that’s the business leadership or the IT and operations teams.

“Without engagement up front, during requirements definition, security will be hard-pressed to be proactive,” says Tadd Axon, IT architect at Softchoice. “Engaging with infrastructure and development teams at the beginning (actually becoming a stakeholder in a project, rather than just a gatekeeper) and during the building and testing of a given system gives all parties a better understanding of the business objectives and technical, organizational and other reasons as to why [certain] choices are made to ensure functionality,” he says.

“This level of early and persistent engagement enables security to properly argue against certain courses of action and to more coherently offer alternatives,” says Axon.


Effective Habit 7

Studying offense and defense. When it comes to information security, a good offense often means an effective defense.

“To understand your risk profile, you should begin to look at your organization from an adversarial perspective; this requires a thorough understanding of offensive [attack] techniques. When we speak about offense, we are referring to techniques used by adversaries to exploit weaknesses in your organization, be it for financial gain, competitive advantage or, worse yet, to tarnish your reputation,” says Sverdlik.

While CISOs aren’t generally required to conduct penetration tests or reverse-engineer applications, they do need to understand the basics of today’s attacks.

“Many of the breaches today aren’t sophisticated; they employ techniques that have been used time and time again. However, they are successful because many security professionals abide by a generic checklist, which may or may not reduce risk,” Sverdlik says. “In my experience, the best way to understand how attackers think is to use the wealth of information available today.”

While these seven habits are certainly not all a security professional needs to succeed, executives who have achieved a measure of success believe that these skills are essential. Security talent may be hard to come by, but there’s no room for complacency, no matter how deep your technical skills.

“The way the world is shrinking, if you aren’t motivated and capable, you’re not long for the workforce,” says Digital Trust’s Martin. “That’s why these skills are so essential, because only A- and B-level players are going to make the grade. There’s no room in a competitive environment for average or below.”


■ George V. Hulme is a freelance security and technology writer based in Minnesota.




Michael Santarcangelo, Security Catalyst

BLOG POST

Where’s the Harm? The Real Conversation We Need to Have About Target and Other Breaches


Against the backdrop of speculations, proclamations and proffered solutions, it’s time to step back, take a deep breath, and engage in a constructive conversation.

Part of my motivation for writing my book, Into the Breach, was to highlight and tell the story of the human side of breaches. By considering people in the context of organizations, it gives us the opportunity to reframe our thinking about breaches. A few years later, we still need to make that shift.

Something that has shifted, for me, is the realization, and maybe even the acceptance, that breaches are part of the landscape now and for the foreseeable future.

Consider the fact that people rob banks. Still. In the past few years, it’s reported that roughly 40 percent of bank robbers in the U.S. get caught. That means most get away with it.

Locally, when a bank is robbed, it makes news. No one blames the bank. Given the way our banking infrastructure is currently operated, few people suffer any actual harm, other than perhaps those present during the robbery.

The question, then, about breaches (cyber-robbery, if you will) is, “Where is the harm?”

In order to advance real, effective and widely accepted solutions, we have to engage in constructive conversation about the entire system. We must visualize the system to translate its complexity into understanding, to engage in a consistent way.

Understanding the harm, including financial harm, allows us to weigh solutions against their ability to reduce the harm in a fiscally and socially acceptable way.

Framing the Conversation

Over the past few weeks, I’ve spoken with friends and colleagues in the payments industry, at financial institutions and even outside of security to get their take on the recent headline-making breaches and find out who, if anyone, is harmed.

As a starting point, I propose we focus on and structure three areas for conversation:

■ Merchants and banks: the organization affected by the breach, as well as the banks that incur the costs of handling fraudulent charges and re-issuing payment cards

■ Buyers: the individuals affected by the breach of their payment or other information

■ Attackers: those motivated to steal the information. Working to understand their motivations and modus operandi yields insights into how we might reduce the impact of future breaches.

Merchants and Banks: Harm Versus Cost of Doing Business

Others have published detailed analyses of the impact of breaches on organizations. While each situation is unique and some notable companies have gone out of business as a result, the majority appear to suffer no lasting ill-effects.

While breaches are inconvenient and sometimes embarrassing, the retailers are fine. The hit they take seems to be minimal, and is often considered a cost of doing business. The payment card brands are fine.

Even the banks are fine. I’m old enough to remember getting a toaster or other gift when opening an account. Banks and financial institutions know the value of a customer. Now instead of toasters, we get new conveniences.

Besides, financial institutions keep getting better at detecting and handling fraud, to the point where their safety measures can be an annoyance, and they consider the occasional need to reissue payment cards a cost of doing business.

While it’s possible to claim that merchants and banks suffer harm, it’s worth having a discussion about how much of it is really harm and how much is just the cost of doing business. Better would be having a discussion about ways to reduce the cost of doing business without the solutions becoming more expensive than the savings they generate.

Buyers: Harm Versus Cost of Convenience

When we suggest a breach is a cost of doing business, the conventional thinking is that ultimately, those costs get passed on to the consumers. Setting aside whether this is a certainty or not, if it’s true, what’s the problem?

Payment cards are a convenience. They are better for banks, and touted as better for consumers. Plenty of people rely on cash, checks, and even barter. And some use alternate forms of payment, like PayPal, or embrace new currencies, like Bitcoin.

Using a payment card is a decision. It’s a choice.

Choosing convenience carries acceptance of the (potential) impacts. If using a payment card means the costs may be higher, that’s a choice we make.

In the U.S., liability for fraud on credit cards is capped at zero, and debit cards have a maximum of $50 (and I haven’t seen that actually enforced). However, lack of liability doesn’t absolve consumers of choice or responsibility.

The more complicated question is whether we are willing to tacitly accept these higher costs due to the seemingly endless parade of breaches that leak payment, identity, medical and other personal information.

So far, by continuing to use payment cards, and continuing to shop at the affected retailers, the market is answering, collectively, that it’s OK.

Is  it  OK? 

If not, then that’s the area we should focus on. This is where we need to engage in thoughtful, structured, and constructive conversations about actions and impacts. Avoid speculation.

Ultimately, if the costs of these conveniences are unacceptable (especially if the costs could be reasonably prevented at a cost lower than the inconvenience) the marketplace needs to encourage action. People can vote with their feet. Avoid retailers with bad records. Stop using banks and credit cards with high fees.

We  have  options.  Let’s  discuss  them. 


Attackers: Targets of Value, Convenience

It’s fair to say I focus on friction. Not just in communication (where we need to take friction out), but also in security. It’s a powerful, and easily understandable, construct where we focus on decreasing friction for preferred pathways and increasing friction for attackers and risky things.

By understanding the motivation of attackers and explaining how attacks affect individuals, people get a clearer picture and better understanding of why the places they shop and bank at are such popular targets.

The key discussion we need to have is one exploring ways that we can all contribute to better protection with lower friction for ourselves, while increasing the friction for attackers.

Better protection likely requires more emphasis on quicker detection, recovery and efforts to build more resilience in the people who are part of the system. It also means accepting more personal responsibility.

Or not. Let’s discuss.

Getting Started in a Constructive Way

This is an invitation to collaborate. It’s not so much a debate as it is a call to stop complaining and declaring you’ve found a solution without first visualizing the system and considering the trade-offs and alternatives.

Encouraging broad action requires a different approach than the one we’re currently taking. We have to bring visibility to the elements, take the friction out of the communication we employ, and learn how to translate the complexity into something we can understand.

We need to translate the value of security.

-Michael Santarcangelo is a writer and speaker specializing in security and communication.


INDUSTRY CHATTER ON TWITTER

Proactive proper security hygiene is really the bottom line. Prevention is better than repair/recovery.

-Jack Gold @jckgld

“Passwords are case-sensitive, 8-255 characters long, at least one letter, and at least one number (0-9). You may use symbols and spaces.”

-Andrew Hay @andrewsmhay

Open scope pen/redteam that allows social engineering wakes me up better than coffee. Testing like reality is the best. Let’s dance!

-Themson Mester @ThemsonMester

I learned everything I know about Canadian physical security and social engineering from the movie Strange Brew.

-Info Security Jerk @infosecjerk




Cover story


Investing in new tools and solutions and making sure they’re doing their job may be top-of-mind in your security department, but older, less-used systems could be quietly costing you money and putting you at risk. By Maria Korolov


These days, there’s no shortage of new business technologies and new threat vectors to the enterprise. But what many companies forget is that old technologies pose risks as well, and those risks aren’t going away. In fact, as your legacy systems continue to get more out-of-date while the world around them continues to evolve, the risks may be increasing.

A few of the things that make legacy systems risky include unpatched software, hard-coded passwords, and a failure to draw any budget money for repairs.


Patch Me, Please!

There are many reasons that a company might not apply all the patches and other recommended fixes for a legacy system. Some software is too business-critical to mess with, and if a patch has the potential to break things, it might get postponed until it’s tested first, and that testing never happens.

For example, a company may have customized its legacy software to a large degree, and upgrading to the next version might require all the customization work to be re-done.

With each missed patch or missed software upgrade cycle, it becomes that much harder and more expensive to roll out the next one, until the system is so deep in technical debt that there’s no way to dig it out without starting over from scratch.

Then there’s software for which patches or upgrades just aren’t available, for example because the vendor went out of business or discontinued that particular product.

According to the latest Secunia report, 3.9 percent of all software on the average PC in the U.S. is no longer patched by the vendor. The most common programs to outlive their support systems? Old browsers and old versions of Java.

“It’s probably even worse on the business side,” says Stefan Frei, research vice president with NSS Labs, a security research firm. “The end user can just run auto update. But the corporation has policies and testing in place to delay the patching. And with some systems, there are legal barriers, where you’re not allowed to touch the system without losing your warranty of certification. You are in a very bad situation—you are doomed if you don’t update, and you are doomed if you do.”

Or if the software was written in-house, the original developers may have long since moved on and there’s no longer anyone around to do the work.

“As the baby boomer generation ages and retires, many customers are losing knowledge of the underlying algorithms in those applications,” says Jim Thompson, the CTO of the technology department in Unisys’ Technology, Consulting and Integration Solutions organization.

Some software can’t be patched at all, including that found in printers, scanners and thermostats.

The biggest single legacy system that’s about to cause a lot of people a lot of problems? Windows XP, which Microsoft will no longer support starting this April.

Ken Pfeil, global security officer at Pioneer Investments, calls it “the coming X-pocalypse.”


“There are a number of people sitting on zero-day exploits just chomping at the bit,” he predicts. “The Black Hole exploit kit, which was very prevalent, hasn’t been replaced yet, but I expect that by the end of April, beginning of May, you’re going to see XP systems get compromised at a point-and-click rate.”

Pfeil says he expects his own company to be completely off of Windows XP by April. But he added that not every company can switch over. Windows 7, for example, has specific hardware requirements. “And a lot of the very large organizations can’t refresh 30,000 desktops within the next six months.”

The Login Is ‘Admin,’ the Password Is ‘Password’

There used to be a day, back before SQL injections and buffer overflows, back before the Internet, back before you could sell Social Security numbers online in bulk, back before user interface design, when writing software was a much simpler matter of just coding the required functionality as efficiently as possible.

That day is now long gone, but the software written back then is still around, still running critical infrastructure in the financial, medical and energy industries.

Take, for example, the issue of default and hard-coded passwords. This isn’t a new problem, but it is significant enough that the U.S. Computer Emergency Readiness Team, part of the Department of Homeland Security, issued an alert last summer warning companies to change passwords.

“Attackers can easily obtain default passwords and identify Internet-connected target systems,” the alert said. “Passwords can be found in product documentation and compiled lists available on the Internet. An attacker with knowledge of the password and network access to a system can log in, usually with root or administrative privileges.”

Legacy applications in particular often have several types of backdoor accounts with access to key databases, says Karen Eldor, director of product management at CyberArk Software.

Some are default passwords supplied by the vendor, while others are hard-coded into the software or in configuration files.

“These passwords are typically privileged passwords because they need high-level access to systems,” she says. “And if they’re hard-coded, many people don’t even know they exist, and if they’re re-used, nobody knows they’re being used or where they came from. It could be a very significant problem for an organization.”

This issue often appears on company radar screens for the first time when a company fails a security or compliance audit, she adds.

But of course, non-regulated industries are vulnerable as well.


Where  Automation  Can  Help 

The first step of tackling the problem is to identify its scope. CyberArk, for example, can help companies find instances of hard-coded passwords in their legacy software.

“We are very experienced with this, and know where it’s usual to find them,” says Eldor.

Once the problems are identified and prioritized, then a company can decide to allocate its available resources where they will do the most good.

For example, in the case of hard-coded passwords, a company can decide to change them manually at certain intervals, or set up an automated system to change them periodically, or use a password-management tool to remove hard-coded passwords entirely and replace them with on-demand passwords that change continuously and can be managed centrally.
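As an added illustration of that first step, identifying default and hard-coded credentials in legacy configuration and source files, here is a small scanner in Python. It is not CyberArk’s tool and not code from the article; the file contents it scans are constructed samples, and it ranks vendor defaults ahead of other literals so they are fixed first.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str      # "default-password" or "hard-coded-password"
    excerpt: str


# Constructed sample files in the style of a legacy deployment (not real data).
SAMPLE_FILES = {
    "legacy/db.properties": "db.host=corebank-db01\ndb.user=admin\n"
                            "db.password=password\npool.size=20\n",
    "legacy/Report.java": 'String url = "jdbc:oracle:thin:@reports:1521:rpt";\n'
                          'Connection c = DriverManager.getConnection(url, "BATCH", "Summer2009");\n'
                          "int retries = 3;\n",
    "legacy/sync.sh": "#!/bin/sh\nPASSWORD=${SYNC_PASSWORD:?set in environment}\n"
                      "ftp -n legacy-host <<EOF\n",
}

# A password-like key (password, passwd, pwd, secret) with a literal value.
KEY_VALUE = re.compile(
    r"^\s*(?:export\s+)?[A-Za-z0-9_.\-]*(?:pass(?:word|wd)?|secret|pwd)"
    r"[A-Za-z0-9_.\-]*\s*[=:]\s*[\"']?(?P<value>[^\"'\s#]+)",
    re.IGNORECASE,
)
# A JDBC-style connection call whose user and password are string literals.
CONN_LITERAL = re.compile(
    r'getConnection\([^)]*,\s*"[^"]*"\s*,\s*"(?P<value>[^"]*)"\s*\)')
# A value such as ${VAR} or $VAR is resolved at run time, so it is not a literal.
ENV_REF = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*")

# Vendor and placeholder defaults that are trivially looked up.
WEAK_DEFAULTS = {"password", "admin", "root", "changeme", "1234", "default"}


def scan_text(path, text):
    """Return the credential findings for one file's contents."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = KEY_VALUE.search(line) or CONN_LITERAL.search(line)
        if not m:
            continue
        value = m.group("value")
        if ENV_REF.match(value):
            continue          # supplied from the environment, not hard-coded
        kind = "default-password" if value.lower() in WEAK_DEFAULTS else "hard-coded-password"
        findings.append(Finding(path, n, kind, line.strip()))
    return findings


def scan_files(files):
    """Scan every file and order the findings with vendor defaults first."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    out.sort(key=lambda f: (f.kind != "default-password", f.path, f.line_no))
    return out
```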

There are also ways to identify legacy systems hidden inside network devices like printers and scanners.




“You have a lot of copy centers that have old unsupported and embedded systems,” says Pioneer Investments’ Pfeil. “The risks that are associated with that seem to quadruple every day.”

Routers and switches don’t do a particularly good job identifying what’s connected to them, he says, especially devices that only connect intermittently.

To deal with this issue, Pioneer Investments uses tools from security firm ForeScout Technologies, which can identify and manage network connections and even monitor them for suspicious or unusual activity.

“When we first started out, seeing all the traffic, and seeing everything connecting, it gives you very good visibility,” Pfeil says.

“Then there are some default policies that are simple to enable, such as the checking of antivirus—is it installed, does it have current signatures, if not, flip it over to the VLAN where it has access to the update server, and when it’s updated, flip it back over to the network access.

“Then we’ve gone down to the level of checking the actual hardware itself—does it have virtualization extensions, what vulnerabilities are inherent in the system—so we enforce directed scans at that system if we deem it to be a higher risk,” he says.

“ForeScout provides a very flexible control fabric platform that interfaces with our other security devices, proxies, antivirus devices, and all that,” Pfeil says.

Budget? What Budget? We Don’t Have No Stinkin’ Budget

Investing in emerging technologies makes business sense. Cloud computing and mobile apps save money, bring in new customers and are easy to pitch to executives because they’re on the cover of every magazine.

Throwing money at old systems—systems that seem to be working just fine—is a much harder sell. It’s easy to postpone these projects, but with every delay, the price tag just gets that much higher.

The key to making a business case for an upgrade to an old system that seems, on the surface, to be working just fine is to figure out a way to put a real dollar value on the security risk.

Start by considering compliance, says Ken Pickering, director of engineering at Core Security. For example, the Payment Card Industry requires merchants that accept bank card payments to comply with a set of security standards. If there’s a breach, state laws may require customer notifications, credit card security monitoring, or other remediation measures. In addition, breaches cause public relations damage to the company as a result of losing customers’ credit card or Social Security numbers.

“Do we risk violating our PCI compliance?” Pickering says. “That’s money. If the records are breached, what’s the dollar per record cost?”

Another way to determine the monetary benefit of replacing an older system with a new one is to calculate the ongoing cost of maintenance of the legacy system.

For example, in 2012, the latest versions of Microsoft software were not affected by 20 percent of the newly discovered vulnerabilities, says Marc Maiffret, CTO and head of the Advanced Research Labs at BeyondTrust. That means fewer patches to apply for companies running Windows 7 or later.

“So if you’re running an older system, you have to do 20 percent more work,” he says. “That’s something [where] you can put tangible dollar amounts on what it means to your business.”

Finally, don’t forget the higher costs of insuring older systems against breaches.

“Bring in your insurance agent,” recommends David Sun, CEO of SunBlock Systems. “If your insurance premium will change, that’s a fairly immediate quantifiable dollar amount.”

It might help to bring in legal help to make the case to management, says Ron Gula, CEO and CTO at Tenable Network Security. Gula serves on the advisory board for the University of Maryland Cybersecurity Center and has conducted penetration tests of government networks for the National Security Agency. Tenable offers real-time security monitoring, vulnerability scanning, network scanning and log analysis and counts the Department of Defense among its 24,000 customers.

“We are really, really bad at articulating risk,” he says, referring to technology professionals. “So go call your lawyers. Your lawyers are going to be aware of your corporate responsibilities to shareholders and customers, of your regulatory requirements. If you have a risk that’s going to make it difficult to pass a PCI audit, get the lawyers on your side.”

If hard numbers and explanations of legal risks don’t do the trick, consider peer pressure.

“Even organizations that compete with each other do share risk information and best practices,” says Gula. It may take some research to figure out what competitors are doing, but the information may be available through trade shows and conferences.

“If you can benchmark yourself against your industry, your vertical, that is something you can bring to your local executives,” he says.

Another approach to addressing the budget problem is to try to move the cost of supporting legacy systems to the business units that actually use them.

“Historically, IT has always borne the brunt of maintaining them,” says Sarah Isaacs, CEO of Conventus, a security consultancy. “Nowadays, IT might be going back to the business units and saying, ‘This is your cost, and we’re going to charge any fees associated with maintaining such an outdated program.’ That might kick the business unit into gear.”

Wrap  It,  Isolate  It,  Lock  It  Away 

The riskiest situation arises when the oldest technology is suddenly exposed to the latest, most cutting-edge channels.

“You can’t simply expose a legacy system that was never intended to be exposed that way,” says Unisys’s Thompson.

“Many of our customers are pressed to embrace these things, but it has to be done in a disciplined way. Change isn’t always good. A healthy respect for the underlying code base is important,” he says.


A bank, for example, may want to allow customers to check their account balances via a website, a text message, a smartphone, a watch, augmented reality glasses or some other newfangled device.

Putting a wrapper in place around the core banking software would help protect the underlying legacy system and allow developers to create new access points without touching the core code base itself, he says.

“Make sure the wrapper checks so that the only transaction that gets through is checking the balance, and nothing else,” he says.
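An added example, not from the article or from Unisys, of the kind of wrapper Thompson describes: a Python allow-list layer in front of a simulated legacy command interface (the legacy core, its commands and its account data are all constructed here). Only a balance check is forwarded, the account number must match a strict shape, the legacy command is built from validated fields rather than the caller’s input, and every decision is written to an audit list.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the legacy core banking command interface.
# It understands several transactions; only balance checks should ever be
# reachable from the new channels (web, SMS, mobile app).
LEGACY_ACCOUNTS = {"1234567890": 25000, "2222222222": 100000}  # balances in cents


def legacy_core(command: str) -> str:
    """Simulated legacy interface: 'BAL <acct>' or 'XFER <from> <to> <cents>'."""
    op, _, args = command.partition(" ")
    if op == "BAL":
        bal = LEGACY_ACCOUNTS.get(args)
        return f"OK {bal}" if bal is not None else "ERR no such account"
    if op == "XFER":
        src, dst, amount = args.split()
        LEGACY_ACCOUNTS[src] -= int(amount)
        LEGACY_ACCOUNTS[dst] += int(amount)
        return "OK"
    return "ERR unknown command"


ALLOWED_OPERATIONS = {"check_balance"}   # the only transaction the wrapper lets through
ACCOUNT_RE = re.compile(r"^[0-9]{10}$")  # strict shape; anything else is refused


@dataclass(frozen=True)
class WrapperResponse:
    status: str   # "ok", "rejected" or "error"
    detail: str


def wrapper(request: dict, audit: list) -> WrapperResponse:
    """Allow-list wrapper: validate, translate, and forward only what is permitted."""
    op = request.get("operation")
    acct = request.get("account")
    if op not in ALLOWED_OPERATIONS:
        audit.append(f"REJECT operation={op!r}")
        return WrapperResponse("rejected", "operation not available on this channel")
    if not isinstance(acct, str) or not ACCOUNT_RE.match(acct):
        audit.append(f"REJECT malformed account={acct!r}")
        return WrapperResponse("rejected", "malformed account number")
    # The legacy command is assembled from validated fields only; the caller's
    # request is never handed to the core as-is.
    reply = legacy_core(f"BAL {acct}")
    if not reply.startswith("OK "):
        audit.append(f"LEGACY-ERROR account={acct} reply={reply!r}")
        return WrapperResponse("error", "request could not be completed")  # no core detail leaks
    cents = int(reply.split()[1])
    audit.append(f"OK check_balance account={acct}")
    return WrapperResponse("ok", f"balance={cents // 100}.{cents % 100:02d}")
```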

A legacy system isn’t just vulnerable to external threats, of course—many threats aren’t coming directly from the outside, but from other compromised systems that are also behind the company firewall.

According to Thompson, enterprises need to stop thinking of their networks like an M&M—a hard, crispy shell protecting the soft chocolate goodness on the inside.

“You need to think of a world in which what’s inside the M&M is more M&Ms,” he says. “So that people who get in through email can’t go to the point-of-sale system, to the core banking system. The email system has no business talking to the core banking system.

“You have to take the approach that you are going to get hacked, not that you’ll put up a Maginot line of peripheral security that’s never going to get hacked.”


■ Maria Korolov is a freelance technology writer based in Massachusetts.




By  the  Numbers:  Identity  Fraud 


Javelin Strategy and Research recently published its 11th annual study of identity fraud. The research surveyed 5,634 U.S. consumers in October of 2013 and found that the number of people affected by data breaches has risen in the past two years. Among the results:

13.1 million: Number of people affected by identity fraud in 2013

1 in 5: Proportion of people who, in 2011, received data-breach notifications and later became a victim of fraud

1 in 3: Proportion of people who, in 2013, received data-breach notifications and later became a victim of fraud

46%: Percentage of people with compromised debit cards who later become fraud victims

16%: Percentage of people with compromised Social Security numbers who later become fraud victims

$48 billion: Total estimated financial impact of identity fraud in 2003

$18 billion: Total estimated financial impact of identity fraud in 2013

